56 BIT ENCRYPTION IS A GOOD START, BUT IS NOT ENOUGH (Senate - October 09, 1998)

[Page: S12151]

Mr. LOTT. Mr. President, the White House recently announced that it would allow some relaxation of its encryption export controls to allow the sale of strong encryption products to companies in the finance, insurance, and health sectors and to certain companies engaged in electronic commerce. While the specific details have yet to be articulated in revised regulations, it appears that the Administration is finally heeding Congress' calls to modernize its export control regulations. While this action is a step in the right direction, I believe the Administration is still moving too slowly and incrementally. Even with these proposed changes, there are still a number of other businesses and consumers who will not be able to utilize strong American-made encryption products. Since export restrictions will remain in place, foreign suppliers will continue to develop and sell strong encryption products in the international marketplace without real competition from U.S. providers. Putting $60 billion and over 200,000 American jobs in jeopardy over the next few years.

Unfortunately, the Administration continues to pursue an outmoded policy that supports the broad use of 56-bit encryption for the vast majority of computer users. As my colleagues are aware, the government-approved 56-bit Data Encryption Standard was recently cracked last July in just 56 hours. This is particularly alarming because it was accomplished using a single computer instead of the thousands that were linked together just a few months ago to achieve the same result in 39 days.

Fortunately, this code-breaking effort was undertaken by contest participants as part of an international challenge instead of by hackers or thieves preying on a vulnerable, unsuspecting target. It is truly scary to see how easy it is for someone's medical, financial, or personal records to be accessed and read by unauthorized persons. Ironically, the decoded message read, `It's time for those 128-, 192-, and 256-bit keys.'

This feat proves what many in Congress have been stating for some time, that 56-bit encryption can no longer protect individual or corporate computer files from unauthorized access. Yet, 56- bit encryption continues to be recognized as the government standard and U.S. companies can only sell advanced encryption software and hardware to a finite community abroad. Let us be clear; the Administration's export regime affects American citizens everywhere. Whether you communicate via the Internet, or work in the technology business, you are likely to be adversely affected by the Administration's current encryption policy. A policy that does not allow the sale of strong encryption to energy suppliers, telecommunication providers, the transportation industry, human rights organizations and the vast majority of legitimate and responsible business entities and consumers throughout the globe. Ultimately, this approach promotes the use and development of weak encryption. While I welcome the White House's recent announcement to relax some export controls, the Administration's proposal simply does not go far enough.

Mr. President, it is encouraging that the Minority Leader has actively engaged himself on the encryption issue. In a floor speech last July, Senator Daschle agreed that America's encryption policy needs to strike a balance between privacy protections and national security and law enforcement interests. The Minority Leader recognizes that the development and use of strong encryption products promote international commerce and Internet use as well as ensure privacy and aid national security. Senator Daschle is also equally alarmed that, `maintaining existing encryption policies will cost the U.S. economy as much as $96 billion over the next 5 years . . .' I agree with Senator Daschle's comments that the Administration needs to articulate and advance an encryption agreement that is `good for consumers, good for business, and good for law enforcement and national security.' Similarly, we agree that it is time to move beyond endless discussion and debate and on to a balanced and complete solution.

Mr. President, with every passing month, consumers across the globe turn to foreign suppliers for their advanced encryption needs. If a solution that reverses this trend is not found soon, then America's computer industry will fall so far behind its foreign competitors that U.S. suppliers will lose forever their technology market share to European, Asian, and other foreign manufacturers. Congress and the Administration cannot allow this happen.

As Senator Daschle pointed out, the computer industry and privacy groups are serious about reaching a compromise on encryption. In May, for example, Americans for Computer Privacy (ACP), a technology policy group, submitted a seven-point proposal to the Administration which would provide U.S. manufactures the ability to sell the kind of encryption technology that is already widely available abroad. In July, an industry consortium announced the `Private Doorbells' proposal to assist law enforcement. This proposal was a reasonable attempt to find an alternative to the White House`s call for a national key escrow framework. Fortunately, the Administration finally appears to recognize that a third party key recovery system is technically unworkable and unnecessary.

I believe Congress is still interested in modernizing the Nation's encryption policy based on current realities. As Senator Daschle observed, several cryptography bills have been offered during this session. Clearly though, they are not all created equal. Some of these legislative proposals would turn back the clock by putting controls on domestic encryption where no such controls currently exist. Others would completely sacrifice constitutional protections by allowing law enforcement to read personal computer files without a court order and without the target ever knowing their files had been accessed. There are also proposals that would require an expensive, technically unworkable key escrow system. Finally, some members advocate linking encryption with other technology issues which could in the end result in no legislation being passed at all.

The encryption debate cannot be resolved by settling on a specific bit-length, giving particular industry sectors export relief while denying others the same, or by sanctioning one technical solution over another. Moreover, this debate will not be resolved by building secret backdoors, frontdoors or any doorways into encryption software.

Mr. President, I look forward to working further with Senator Daschle, my colleagues from both sides of the aisle, the Administration, and the computer industry to help close the gaps that still exist. As the Minority Leader recognizes, this is not about politics or partisanship. This is an urgent matter that requires us all to work together to forge an appropriate solution. One that balances the needs of industry, consumers, and the law enforcement and intelligence communities. In the end, we must have a consensus solution that brings America encryption policy into the 21st Century.